Apple Doubles Payout for Zero-Click Flaws, Launches Expanded Bug Bounty Program
Apple has dramatically increased rewards for the most dangerous security flaws, offering up to $2 million for zero-click remote code execution vulnerabilities and rolling out a broader, reworked bug bounty scheme that can pay researchers more than $5 million in some cases.
The new program raises the top bounty for zero-click exploits, a category of vulnerabilities that allow attackers to compromise devices without any interaction from the victim. Zero-click flaws are prized by advanced threat actors because they can be weaponised remotely, even when targets take cautious security measures. Industry observers say such exploits are rare, yet highly valuable to state-backed espionage groups and sophisticated criminal networks.
Apple’s revamped structure adds new vulnerability categories, higher base payouts, and a bonus system. Lockdown Mode bypasses and bugs discovered in beta software qualify for additional rewards, which can substantially increase the overall payment for a single finding. That bonus framework can push a top reward well above the $2 million base, producing a maximum single payout that exceeds $5 million for the most consequential discoveries.
Alongside the zero-click top tier, the program sets seven-figure rewards for other critical exploit types. One-click remote code execution attacks, wireless proximity attacks, broad unauthorised access to iCloud data, and chained WebKit exploits that allow unsigned arbitrary code execution are among the vulnerabilities now eligible for million-dollar payments.
The updated bounty menu also includes significant payouts for attacks that work despite device locks, for app sandbox escape bugs, for WebKit sandbox escapes requiring a single user action, and for complete Gatekeeper bypasses that do not depend on user interaction. These additions reflect a focus on threat vectors that undermine device integrity and user privacy even in locked or highly restricted states.
Security professionals say the move is both an incentive and a signal. Monetary rewards of this scale aim to draw researchers away from underground markets and toward coordinated disclosure channels. For companies and governments, the change acknowledges how valuable zero-click and other high-end vulnerabilities have become, and how much motivation is required to surface them responsibly.
Zero-click attacks have real-world consequences. A typical example involves sending a specially crafted message that triggers a vulnerability as soon as it is received, without the recipient having to open the message. Such an exploit could allow remote code execution, data theft, or persistent surveillance on an affected device.
Apple’s announcement follows years of escalating competition among major tech vendors to secure their platforms and to buy down risk through public bug bounty schemes. The company previously offered up to $1 million for zero-click flaws, making the new $2 million ceiling a major increase, and positioning Apple among the most generous bounty sponsors in the industry.
For security researchers, the revamped program creates fresh incentives to probe Apple platforms and to report high-risk findings through official channels. For users and organisations, the change underlines the importance of prompt updates and of defensive measures, since attackers continue to seek and exploit legacy and zero-interaction weaknesses.
As threat actors evolve, so do the countermeasures. Apple’s expanded bounty program is a financial bet that greater rewards will surface the most dangerous bugs before they are abused at scale, helping to reduce the gap between exploit discovery and mitigation.